Bug 678660 - RelEng Weekly Key broken
Summary: RelEng Weekly Key broken
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Release Media
Classification: Unclassified
Component: Stages (show other bugs)
Hardware: All All
Importance: Normal major
Assignee: Gentoo Release Team
Reported: 2019-02-24 08:40 UTC by Sebastian Hamann
Modified: 2019-02-24 14:42 UTC (History)
Description Sebastian Hamann 2019-02-24 08:40:06 UTC
Currently, signatures made by the Release Engineering Weekly key cannot be validated due to incorrect key usage. This breaks verifying currently available stage archives and release media.
It does work with an older version of the key.

During the installation process, I downloaded the key from the keyserver pool (see below).
The key, when listed by gnupg, looks like this:

pub   rsa4096 2009-08-25 [C] [expires: 2020-01-01]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
sub   rsa2048 2019-02-23 [S] [expires: 2020-01-01]
      534E4209AB49EEE1C19D96162C44695DB9F6043D

The root key is for certification only and a very fresh subkey is for signing. Current stages, however, are older than this subkey, were signed by the root key and cannot be verified with this key (see below).

On my existing Gentoo installation, I have an older copy of the key (from =app-crypt/openpgp-keys-gentoo-release-20190102). It does not have a subkey and the root key is usable for signing:

pub   rsa4096 2009-08-25 [SC] [expires: 2019-08-22]
      13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
uid           [ unknown] Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

Using this key, I can verify the signature as expected (see below).

So, right now the installation process is broken for people who want to verify signatures and do not have an existing Gentoo installation at hand.
Please change the key on the keyservers to allow verification of old signatures, at least for some grace period.

Reproducible: Always

Steps to Reproduce:
1. gpg --keyserver hkps://hkps.pool.sks-keyservers.net --recv-keys 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
2. wget https://gentoo.osuosl.org/releases/amd64/autobuilds/20190221T214502Z/stage3-amd64-20190221T214502Z.tar.xz.DIGESTS.asc
3. gpg --verify stage3-amd64-20190221T214502Z.tar.xz.DIGESTS.asc
Actual Results:  
gpg: Signature made Fri Feb 22 01:45:08 2019 UTC
gpg:                using RSA key 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
gpg: bad data signature from key BB572E0E2D182910: Wrong key usage (0x01, 0x4)
gpg: Can't check signature: Wrong key usage


Expected Results:  
gpg: Signature made Fri Feb 22 02:45:08 2019 CET
gpg:                using RSA key 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
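The failure described in this report is a key-usage mismatch: the signature names the primary key, but the newly published copy of that key only carries the certify capability, so gpg refuses it with "Wrong key usage (0x01, 0x4)". The following script is an added example (not part of the bug report, and not Gentoo's or GnuPG's own tooling) of the check a release team or a CI job could run before publishing a refreshed key: parse the machine-readable `gpg --with-colons --list-keys` listing and confirm that every key still referenced by signatures in circulation is allowed to sign. It assumes GnuPG's usage bit values (sign 0x1, encrypt 0x2, certify 0x4, authenticate 0x8, which are the two numbers gpg prints as required and actual mask) and the colon-format field positions (capability letters in field 12, fingerprint in field 10 of an `fpr` record). The two listings are constructed to mirror the key states shown above; only the fingerprints, key IDs and capability letters come from the report.

```python
"""Sanity-check an OpenPGP keyring listing for signing capability.

Added example, not Gentoo's or GnuPG's code. Given the output of
`gpg --with-colons --list-keys` and the fingerprints of keys that made
published signatures, report which signatures the keyring can still verify.
"""

# GnuPG's PUBKEY_USAGE_* bit values; "Wrong key usage (0x01, 0x4)" prints
# (required mask, actual mask) in exactly these units.
USAGE_SIG = 0x1
USAGE_ENC = 0x2
USAGE_CERT = 0x4
USAGE_AUTH = 0x8
CAP_BITS = {"s": USAGE_SIG, "e": USAGE_ENC, "c": USAGE_CERT, "a": USAGE_AUTH}

# Keys that signatures in circulation were made with (from the report):
# older stages were signed by the primary key, newer ones by the subkey.
PUBLISHED_SIGNERS = [
    "13EBBDBEDE7A12775DFDB1BABB572E0E2D182910",  # primary key
    "534E4209AB49EEE1C19D96162C44695DB9F6043D",  # 2019-02-23 signing subkey
]

# Constructed colon-format listings mirroring the two key states above
# (dates and hash fields are placeholders).
NEW_KEY_LISTING = """\
pub:-:4096:1:BB572E0E2D182910:1251158400:1577836800::-:::cSC::::::23::0:
fpr:::::::::13EBBDBEDE7A12775DFDB1BABB572E0E2D182910:
uid:-::::1251158400::0::Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>::::::::::0:
sub:-:2048:1:2C44695DB9F6043D:1550880000:1577836800:::::s::::::23:
fpr:::::::::534E4209AB49EEE1C19D96162C44695DB9F6043D:
"""

OLD_KEY_LISTING = """\
pub:-:4096:1:BB572E0E2D182910:1251158400:1566432000::-:::scSC::::::23::0:
fpr:::::::::13EBBDBEDE7A12775DFDB1BABB572E0E2D182910:
uid:-::::1251158400::0::Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>::::::::::0:
"""


def usage_mask(caps):
    """Turn one key's lowercase capability letters into GnuPG's usage bitmask.
    (Uppercase letters in field 12 summarise the whole certificate and are
    deliberately ignored: they are what hides a certify-only primary key.)"""
    return sum(bit for letter, bit in CAP_BITS.items() if letter in caps)


def parse_colon_listing(text):
    """Return [{"type", "keyid", "fpr", "caps"}] for every pub/sub record."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            keys.append({"type": fields[0], "keyid": fields[4], "fpr": None,
                         "caps": "".join(ch for ch in fields[11] if ch.islower())})
        elif fields[0] == "fpr" and keys and keys[-1]["fpr"] is None:
            keys[-1]["fpr"] = fields[9]  # fpr record follows its pub/sub record
    return keys


def check_signing_key(keys, signer_fpr, required=USAGE_SIG):
    """Mirror gpg's decision: locate the key a signature names (by fingerprint
    or long key ID) and test its usage bits. Returns (ok, message)."""
    for key in keys:
        if key["fpr"] == signer_fpr or signer_fpr.endswith(key["keyid"]):
            have = usage_mask(key["caps"])
            if have & required == required:
                return True, "ok: %s key %s has usage 0x%x" % (key["type"], key["keyid"], have)
            return False, "Wrong key usage (0x%02x, 0x%x)" % (required, have)
    return False, "key %s not in keyring" % signer_fpr


def audit_keyring(text, signer_fprs):
    """Check every signing key still referenced by published signatures."""
    keys = parse_colon_listing(text)
    return {fpr: check_signing_key(keys, fpr) for fpr in signer_fprs}


if __name__ == "__main__":
    for label, listing in (("new key", NEW_KEY_LISTING), ("old key", OLD_KEY_LISTING)):
        for fpr, (ok, msg) in audit_keyring(listing, PUBLISHED_SIGNERS).items():
            print("%s  %s  %s" % (label, fpr[-16:], msg))
```

Run against the new listing the primary key fails with the same `Wrong key usage (0x01, 0x4)` text gpg printed above, while the old listing verifies the primary key but knows nothing about the subkey; a key refresh that passes for every published signer is what a grace period is meant to guarantee. In practice the listing text would come from `subprocess.run(["gpg", "--with-colons", "--list-keys", fpr], capture_output=True, text=True).stdout`.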
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-02-24 08:50:04 UTC
I'm sorry about the problem.  I'm going to mask the new key package right now, and fix the primary key ASAP (which may take a few hours).
Comment 2 Larry the Git Cow gentoo-dev 2019-02-24 08:53:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c244672ad0665a3b0a2c08430e2ca4dfc4f5b82

commit 8c244672ad0665a3b0a2c08430e2ca4dfc4f5b82
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-02-24 08:51:42 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-02-24 08:53:28 +0000

    package.mask: Mask new openpgp-keys-gentoo-release
    
    Bug: https://bugs.gentoo.org/678660
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-02-24 14:42:56 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a81d814700606b4d1ac1bb38059a94b587b79c1

commit 4a81d814700606b4d1ac1bb38059a94b587b79c1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-02-24 14:42:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-02-24 14:42:48 +0000

    app-crypt/openpgp-keys-gentoo-release: Cover releng key with tests
    
    Include two test cases for the releng key: one using the new subkey,
    and one using the primary key directly (old stage checksum).
    
    Closes: https://bugs.gentoo.org/678660
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-crypt/openpgp-keys-gentoo-release/Manifest                          | 1 +
 .../openpgp-keys-gentoo-release-20190224.ebuild                         | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32163c353a37fcc901fcacab23e8dcd0389be6c3

commit 32163c353a37fcc901fcacab23e8dcd0389be6c3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-02-24 14:32:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-02-24 14:42:48 +0000

    app-crypt/openpgp-keys-gentoo-release: Roll 20190224; fix releng key
    
    Closes: https://bugs.gentoo.org/678660
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-crypt/openpgp-keys-gentoo-release/Manifest     |  1 +
 .../openpgp-keys-gentoo-release-20190224.ebuild    | 41 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)